Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 17 Sep 2010 21:53:36 -0400
From:      "Andriy Bakay" <andriy@irbisnet.com>
To:        "Pawel Jakub Dawidek" <pjd@freebsd.org>
Cc:        "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject:   Re: ZFS + GELI data integrity
Message-ID:  <op.vi7gvmex6f601j@prime.irbisnet.com>
In-Reply-To: <20100917192938.GB1902@garage.freebsd.pl>
References:  <op.vi433pxp6f601j@prime.irbisnet.com> <20100917192938.GB1902@garage.freebsd.pl>

next in thread | previous in thread | raw e-mail | index | archive | help
Thanks, Pawel for detailed answer.

Turn off ZFS checksum is not a option at least for me, because I will  
loose self healing I guess. But (ZFS with SHA256) + (GELI only encryption)  
sounds good.

I have another question. I read on OpenSolaris ZFS Dedup FAQ, they used  
not very efficient implementation of ZFS SHA256 checksum:

"However, ZFS uses its own copy of SHA256 and doesn't currently use a  
crypto accelerator or crypto framework."

http://hub.opensolaris.org/bin/view/Community+Group+zfs/dedup

What about FreeBSD implementation of ZFS SHA256 checksum?

Thanks,
Andriy

On Fri, 17 Sep 2010 15:29:38 -0400, Pawel Jakub Dawidek <pjd@freebsd.org>  
wrote:

> On Thu, Sep 16, 2010 at 03:22:27PM -0400, Andriy Bakay wrote:
>> Hi list(s),
>>
>> I am using ZFS on top of GELI. Does exists any practical reason to  
>> enable
>> GELI data authentication (data integrity) underneath of ZFS? I  
>> understand
>> GELI data integrity is cryptographically strong -- up to HMAC/SHA512,  
>> but
>> ZFS has SHA256 checksum. GELI linked data to sector and will detect if
>> somebody move data around, but my understanding is to move data around
>> consistently one need to decrypt it which is very difficult. Correct me  
>> if
>> I wrong.
>>
>> Any thoughts?
>
> ZFS blocks form z merkle tree (http://en.wikipedia.org/wiki/Hash_tree),
> so if you're using cryptographically strong hash, like sha256 within
> your pool, I believe it is safe not to use GELI data authentication, but
> only encryption. Note, that I'm not cryptographer and this is quite
> complex scenario, so what I believe in here might not be true.
> Alternatively you could use GELI authetication and turn off ZFS
> checksum. When I personally use ZFS on top of GELI, I do just that: GELI
> does encryption only and ZFS does authentication with SHA256 checksum.
>


-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.vi7gvmex6f601j>